Multiple vulnerabilities exist in the Cisco Firewall Services Module
(FWSM). These vulnerabilities occur in the processing of specific Hypertext
Transfer Protocol (HTTP), Secure HTTP (HTTPS), Session Initiation Protocol
(SIP), and Simple Network Management Protocol (SNMP) traffic. If verbose
logging is enabled for debugging purposes, a vulnerability exists when the FWSM
processes packets destined to itself. All of these vulnerabilities may result
in a reload of the device.

An additional vulnerability is included in this advisory in which the
manipulation of access control lists (ACLs) that make use of object groups may
corrupt the ACL and create a situation where unwanted traffic may be permitted
or desirable traffic may be blocked.

These vulnerabilities are independent of each other; a release that is
affected by one vulnerability is not necessarily affected by the others.

There are workarounds for some of the vulnerabilities disclosed in
this advisory.

Cisco has made free software available to address these vulnerabilities for
affected customers.

The relationship between the vulnerabilities described in this
advisory and the equivalent vulnerabilities in the Cisco PIX 500 Series
Security Appliances and Cisco ASA 5500 Series Adaptive Security Appliances is
given in the following table. If a vulnerability discussed in this document is
not present in this table, it does not affect the Cisco
PIX 500 Series Security Appliances and Cisco ASA 5500 Series Adaptive Security
Appliances.

In this example, the FWSM is running version 2.3(1) as indicated by
the column under "Sw" above.

Note: recent versions of IOS will show the software version of each module
in the output from the show module command so
executing the show module <slot number>
command is not necessary.

Alternatively, the information may also be gained directly from the
FWSM through the show version command:

FWSM#show version
FWSM Firewall Version 2.3(1)

For customers managing their FWSM through the PIX Device Manager (PDM)
or the Cisco Adaptive Security Device Manager (ASDM), log into the application,
and the version may be found either in the table in the login window or in the
upper left hand corner of the PDM/ASDM window indicated by a label similar to:

With the exception of the Cisco PIX 500 Series Security Appliances and
the Cisco ASA 5500 Series Adaptive Security Appliances, no other Cisco products
are known to be vulnerable to the issues described in this advisory.

The Cisco Firewall Services Module is a high-speed, integrated
firewall module for Catalyst 6500 series switches and Cisco 7600 series
routers. It offers firewall services with stateful packet filtering and deep
packet inspection.

Multiple vulnerabilities exist in certain versions of the FWSM
software that may cause the device to unexpectedly reload or that may cause
traffic to be permitted or denied contrary to the security policy in place.

1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload

This vulnerability may cause a FWSM to reload when the FWSM performs
enhanced inspection of HTTP requests and a malformed HTTP request is
inspected. The FWSM only performs enhanced inspection of HTTP traffic when the
command inspect http <appfw> is present in the configuration (appfw is the
name of a specific HTTP map). This command is disabled by default.

Note: Enhanced inspection of HTTP traffic is what makes a configuration
affected. Regular inspection of HTTP traffic (through the command
inspect http without an HTTP map) will not make a
configuration affected by this vulnerability.

For information on what enhanced inspection of HTTP traffic does, and
how to configure it, please refer to the following URL:

2. Inspection of Malformed SIP Messages May Cause Reload

This vulnerability may cause a FWSM to reload when a malformed SIP
message is received (over Transmission Control Protocol [TCP] or over User
Datagram Protocol [UDP]) and deep packet inspection of SIP messages is enabled
through the commands fixup protocol sip
<portnum> for SIP over TCP and/or fixup
protocol sip udp <portnum> for SIP
over UDP (in FWSM software 2.3.x and before) or through the command
inspect sip (in FWSM software 3.x and later). SIP
fixup (in 2.x and earlier) and SIP inspection (in 3.x and later) are enabled by
default.

3. Processing of Packets Destined to the FWSM May Cause Reload

This vulnerability will cause the FWSM to reload when trying to
generate syslog message 710006. For this to happen the following two conditions
must be satisfied:

The FWSM receives a packet addressed to one of the device's own IP addresses,
and the packet's protocol is not one of the following: TCP, UDP, ICMP, OSPF,
Failover, PIM, IGMP, or ESP. The source of the packet is not relevant.

Logging must be enabled at a level high enough to generate syslog
message 710006. By default this is debugging level (level 7). Please note that
logging is disabled by default, and Cisco recommends customers only log at
debugging level for debugging and troubleshooting purposes.

Note: The documentation for the Cisco Security Monitoring, Analysis and
Response System (CS-MARS) suggests logging at the debugging level so more
events can be reported by the firewall.

For more information on syslog message 710006 please refer to the
following document:

4. Processing of Malformed HTTPS Requests May Cause Reload

This vulnerability may cause the FWSM to reload when a user tries to
access a web site and the network administrator has configured the device to
authenticate users before granting them network access. This feature is known
as "authentication for network access", or auth-proxy, and
is enabled through the command aaa authentication
match or aaa authentication include.

The reload is actually triggered by a specific HTTPS request that is
invalid, and therefore, unlikely to be generated by a regular web browser.

5. Processing of Long HTTP Requests May Cause Reload

This vulnerability may also cause the FWSM to reload when the
administrator has enabled "authentication for network access" ("auth-proxy")
through the commands aaa authentication match or
aaa authentication include. However, in this case
the HTTP request that causes the reload is valid, although it is not a normal
request in the sense that the requested URL is very long. A web browser
could potentially generate such a request during regular browsing.

6. Processing of HTTPS Traffic May Cause Reload

This vulnerability may cause a FWSM to reload when the FWSM receives a
particular type of HTTPS traffic directed to the FWSM itself. This is only a
concern when the HTTPS server on the FWSM is enabled through the command
http server enable. This command is disabled by
default.

Cisco is aware of a commercial vulnerability scanner that can generate
the HTTPS traffic that triggers the reload. We are not aware of regular web
browser traffic that triggers this bug.

7. Processing of Malformed SNMP Requests May Cause a Reload

This vulnerability may cause a FWSM to reload upon receipt of a
malformed SNMP message from a trusted device. The trusted device must be
allowed explicit SNMP poll access via the command snmp-server host
<interface name> <IP of trusted device>.

8. Manipulation of ACL May Cause ACL Corruption

This vulnerability may cause access control entries (ACEs) in an ACL
to be evaluated out of order, or not to be evaluated. This ACL corruption is
manifested, besides the obvious traffic implications, when the output from the
show access-list command and the corresponding ACL
shown by the show running-config command appear to
be out of sync. Only a manual reload of the device will cause this condition to
go away.

The ACL corruption occurs when an ACL that makes use of object groups
is manipulated.

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

In all cases, with the exception of the "Manipulation of ACL May Cause
ACL Corruption" vulnerability, successful exploitation of any vulnerability may
cause a reload of the affected device. Repeated exploitation could result in a
sustained Denial-of-Service (DoS) condition.

In the case of the "Processing of Long HTTP Requests May Cause Reload"
vulnerability (CSCsd91268),
the reload occurs because a stack-based buffer is overflowed. In this case
remote code execution may be possible.

In the case of the "Manipulation of ACL May Cause ACL Corruption"
vulnerability, a device that becomes affected after an administrator
manipulates an ACL with object groups may permit traffic that would normally be
denied, or deny traffic that would normally be permitted. If the ACL is
used for other functions such as NAT (policy NAT and NAT exemption), AAA
(auth-proxy), or control of access to the device (SSH, Telnet, HTTP, ICMP), then
those functions may be adversely affected as well.

When considering software upgrades, also consult
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete upgrade
solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current hardware and
software configurations will continue to be supported properly by the new
release. If the information is not clear, contact the Cisco Technical
Assistance Center ("TAC") or your contracted maintenance provider for
assistance.

Each row of the FWSM software table (below) describes one of the
vulnerabilities described in this document. For each vulnerability the earliest
possible release that contains the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "First Fixed
Release" column. A device running a release that is earlier than the release in
a specific column (less than the First Fixed Release) is known to be
vulnerable. The release should be upgraded at least to the indicated release or
a later version (greater than or equal to the First Fixed Release label).

1. Enhanced Inspection of Malformed HTTP Traffic May Cause Reload

It is possible to mitigate this vulnerability by disabling enhanced
inspection of HTTP traffic. Please note that disabling HTTP enhanced inspection
will prevent the FWSM from protecting against specific attacks and other
threats that may be associated with HTTP traffic. Enhanced inspection of HTTP
traffic is disabled by removing the command inspect http
<appfw> from the configuration, where
appfw is the name of an HTTP map.

For further information about the inspect http
<appfw> command, and the type of checks it performs on HTTP
traffic, please see the documentation for this command at:

Please note that the command inspect http
(without an HTTP map) can be left in the configuration and the device will not
be affected by this vulnerability.
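The following configuration fragment is an added example and is not part of the advisory or of Cisco's documentation. It shows, in FWSM 3.x Modular Policy Framework syntax, the affected form of HTTP inspection (an inspect http command that references an HTTP map) beside the workaround described above. The HTTP map name APPFW_MAP is a constructed name, and the policy-map global_policy with its class inspection_default are assumed to exist as in a default 3.x configuration.

```cisco
! Added example (not from the advisory): affected configuration beside the
! workaround. Assumed names: APPFW_MAP (constructed), and the default
! policy-map "global_policy" with class "inspection_default".
!
! Affected: "inspect http" that references an HTTP map enables enhanced
! inspection, which is the code path that can reload the module.
http-map APPFW_MAP
 strict-http action drop log
!
policy-map global_policy
 class inspection_default
  inspect http APPFW_MAP
!
! Workaround: remove the map-qualified command and keep plain "inspect http",
! which the advisory states is not affected. Basic HTTP inspection continues;
! the checks defined in the HTTP map (here, strict RFC compliance) no longer
! run. The map itself may stay defined for later re-use.
policy-map global_policy
 class inspection_default
  no inspect http APPFW_MAP
  inspect http
!
! Verify that no class still references the HTTP map:
! show service-policy inspect http
```

After the change, show service-policy inspect http should list HTTP inspection without a map name; any line that still shows the map name means the affected command is still active in some class.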

2. Inspection of Malformed SIP Messages May Cause Reload

It is possible to mitigate this vulnerability by disabling deep packet
inspection ("fixup" in software versions prior to 3.x, or "inspect" in software
version 3.x and later) of SIP messages. In FWSM software 2.x and earlier, it is
necessary to use both no fixup protocol sip and
no fixup protocol sip udp to stop deep packet
inspection of SIP messages over TCP and UDP transport (in FWSM 3.x and later,
no inspect sip will stop deep packet inspection of
SIP messages over both TCP and UDP). Note, however, that this may have a negative
impact on devices terminating SIP sessions, since SIP traffic will no longer
undergo stateful application inspection, and devices that terminate sessions
for this protocol will be exposed to packets that may cause them to
crash or become compromised.

If you are running a 3.x FWSM software release, then the alternative
is to allow traffic only from the trusted hosts. The configuration to
accomplish this is as follows:

In this example SIP endpoints are any host within 10.1.1.0 network
(inside the trusted network) and a host with the IP address of 192.168.5.4
(outside of the trusted network). You would have to substitute these IP
addresses with the ones that are used in your network.
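The configuration below is an added example written for this page; it is not the advisory's own configuration. It restricts SIP inspection on a FWSM 3.x release to the endpoints named above (the 10.1.1.0/24 network on the inside and the host 192.168.5.4 on the outside) using the Modular Policy Framework. The ACL name SIP_TRUSTED, the class-map name SIP_TRUSTED_CLASS, and the use of the default policy-map global_policy with its class inspection_default are assumptions; port 5060 is the standard SIP signaling port.

```cisco
! Added example (not from the advisory): limit SIP inspection to trusted
! endpoints on FWSM 3.x. Assumed names: SIP_TRUSTED, SIP_TRUSTED_CLASS,
! "global_policy" and "inspection_default" (the 3.x defaults).
!
! Step 1: ACL matching SIP signaling (TCP and UDP 5060) only between the
! trusted endpoints, written for both directions so either side may initiate.
access-list SIP_TRUSTED extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq 5060
access-list SIP_TRUSTED extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq 5060
access-list SIP_TRUSTED extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq 5060
access-list SIP_TRUSTED extended permit tcp host 192.168.5.4 10.1.1.0 255.255.255.0 eq 5060
!
! Step 2: class-map keyed on that ACL.
class-map SIP_TRUSTED_CLASS
 match access-list SIP_TRUSTED
!
! Step 3: remove SIP inspection from the default class (which inspects SIP
! from any host) and apply it only to the trusted class.
policy-map global_policy
 class inspection_default
  no inspect sip
 class SIP_TRUSTED_CLASS
  inspect sip
!
! Step 4: the policy is applied globally (already the case in the default
! configuration; repeated here so the fragment is complete).
service-policy global_policy global
!
! Verify which class now carries SIP inspection:
! show service-policy inspect sip
```

This reduces exposure rather than removing it: because SIP signaling over UDP can carry a spoofed source address, a message forged to appear from the 10.1.1.0 network still reaches the inspection path. Source-address validation on the interfaces (for example the FWSM's ip verify reverse-path feature) makes such spoofing harder, and applying the fixed software remains the complete remedy.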

Please note that SIP messages can be carried over UDP, so spoofing the
source of SIP messages is possible.

3. Processing of Packets Destined to the FWSM May Cause Reload

Since this vulnerability only manifests itself when syslog message
710006 is generated, it is possible to work around the vulnerability either by
disabling generation of syslog message 710006 altogether, or by logging at a
syslog level that is lower than the syslog level at which this message is
generated.

By default, syslog message 710006 is generated at syslog level 7
("debugging"), so a viable workaround is to log at level 6 or lower. This can
be accomplished with the command logging <destination>
6. If syslog message 710006 has been moved to a different logging
level, then the logging level in use must be changed accordingly to prevent the
message from being generated.

If logging at the "debugging" level is necessary, the vulnerability
can also be eliminated by disabling this particular syslog message by using the
command no logging message 710006.
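As an added example (not text from the advisory), the fragment below places the logging configuration that leaves a FWSM exposed to this vulnerability beside the two workarounds just described. The syslog server address 10.1.1.50 on the "inside" interface is a constructed value; logging trap and logging buffered are used as the <destination> keywords for the syslog-server and internal-buffer destinations respectively, and logging on is the 2.x form of the command that is logging enable in 3.x.

```cisco
! Added example (not from the advisory). Constructed value: syslog server
! 10.1.1.50 on interface "inside".
!
! Exposed: the syslog destination logs at debugging level (7), so message
! 710006 is generated whenever a packet of an unexpected protocol is
! addressed to one of the FWSM's own interfaces.
logging on                       ! "logging enable" on FWSM 3.x
logging host inside 10.1.1.50
logging trap 7
!
! Workaround A: cap every destination that logs at level 7 to level 6
! (informational) or lower. 710006 is then never generated.
logging trap 6
logging buffered 6
!
! Workaround B: keep debugging-level logging for troubleshooting but
! suppress this one message.
no logging message 710006
!
! If 710006 was earlier moved to another level ("logging message 710006
! level <n>", assumed syntax), the cap in workaround A must be set below
! that level instead.
!
! Verify the configured levels and that 710006 is disabled:
! show logging
! show logging message 710006
```

Workaround B is the smaller change when a collector such as CS-MARS expects debugging-level output, since only the single message is lost; workaround A also removes every other level-7 message from the affected destination.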

4. Processing of Malformed HTTPS Requests May Cause Reload

There are no workarounds for this vulnerability.

5. Processing of Long HTTP Requests May Cause Reload

There are no workarounds for this vulnerability.

6. Processing of HTTPS Traffic May Cause Reload

Since this vulnerability is caused by the HTTPS server on the FWSM
failing to handle certain types of HTTPS traffic, disabling the HTTPS server
through the command no http server enable is a valid
workaround if this functionality is not needed. Please note that this
functionality is used by ASDM, so if configuration of the FWSM is exclusively
done through ASDM disabling the HTTPS server may not be a viable workaround.

Additionally, it is possible to limit the exposure by allowing HTTPS
connections only from trusted IP addresses or networks. This can be
accomplished with the http command. For example, the
following command:

FWSM(config)# http 192.168.1.10 255.255.255.255 inside

will only permit HTTPS connections from the IP address 192.168.1.10.

7. Processing of Malformed SNMP Requests May Cause a Reload

This bug can only be triggered by a malformed SNMP message that comes
from a device that is allowed SNMP access on the FWSM. If SNMP is not needed it
can be removed through the command no snmp-server host
<interface name> <IP address of trusted device>,
which will eliminate the vulnerability.

8. Manipulation of ACL May Cause ACL Corruption

There are no workarounds for this vulnerability. However, please note
that the ACL corruption does not occur during normal operation of the device
and cannot be triggered by traffic of any type. It can only occur if an
administrator makes configuration changes (more specifically, if an
administrator manipulates an ACL). For this reason, if ACL changes are made
only during a maintenance window, and the FWSM is reloaded after making those
changes, there should not be any concerns with this vulnerability.

Cisco has released software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers with contracts should obtain software through their regular update channels. For most customers, software patches and bug fixes should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain software patches and bug fixes by contacting the Cisco Technical Assistance Center (TAC). TAC
contacts are as follows.

+1 800 553 2447 (toll free from within North America)

+1 408 526 7209 (toll call from anywhere in the world)

e-mail: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this notice as evidence of entitlement to a software patch or bug fix. Customers without service contracts should request a software patch or bug fix through the TAC.

The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

Some of these vulnerabilities were reported to Cisco by customers
that experienced these issues during normal operation of their equipment. The
other vulnerabilities were discovered during internal testing.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

In addition to worldwide web posting, a text version of
this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

cust-security-announce@cisco.com

first-teams@first.org

bugtraq@securityfocus.com

vulnwatch@vulnwatch.org

cisco@spot.colorado.edu

cisco-nsp@puck.nether.net

full-disclosure@lists.grok.org.uk

comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
above URL for any updates.

Added information about CSCsd50667 - duplicate of CSCse99740 - to
be consistent with the FWSM release notes.

Revision 1.3

2007-Feb-23

Clarify that the "Inspection of Malformed SIP Messages May Cause
Reload" vulnerability affects SIP traffic over both TCP and UDP transport, and
that a configuration may be affected for both, depending on the commands used.
The workaround of disabling SIP may also require removing two
commands.

Revision 1.2

2007-Feb-21

It was incorrectly stated in previous versions of this document
that SIP inspection is disabled by default in FWSM 3.x software. The advisory
has been revised to make it clear that the "Inspection of Malformed SIP
Messages May Cause Reload" vulnerability affects the default configuration in
both 2.x and 3.x software.